mhoye

3 months ago • •

mhoye
3 months ago • •

Modest log-reading infosec question: what am I looking at?

paste.mozilla.org/0A8Z3V3J

Those are Apache logs that suggest that somebody at that IP address is probing to see if some part of a node setup will be revealed if it picks... some particular user agent? And... what?

What is the chain of reasoning here?

Mozilla Community Pastebin/0A8Z3V3J (Plain Code)

^{paste.mozilla.org}

This entry was edited (3 months ago)

in reply to mhoye

silverwizard

in reply to mhoye • 3 months ago from ZoobopDeDoDop! •

@mhoye the very weird behaviour is it's all browser user agents. I didn't see curl, or a JS library. You'd think weird envs would be for automation

@mhoye

in reply to silverwizard

mhoye

in reply to silverwizard • 3 months ago • •

@silverwizard I'm pretty sure this is trying to scan for UA-detection misconfigurations that accidentally allow secrets access, not any sort of genuine testing.

@silverwizard

in reply to mhoye

silverwizard

in reply to mhoye • 3 months ago from ZoobopDeDoDop! •

@mhoye oh sure, actually using those UAs and not just lying

@mhoye

⇧

mhoye

mhoye 3 months ago • •

Mozilla Community Pastebin/0A8Z3V3J (Plain Code)

silverwizard

mhoye

silverwizard

mhoye
3 months ago • •